How Out-of-Office Replies Put You at Risk


Ah, the innocuous out-of-office notification message. Who in the
corporate world hasn't used it at one time or another?

Sure, the out-of-office function built into Microsoft Outlook and similar email software is great for letting colleagues, customers, vendors and even friends and acquaintances know that you're lying on a beach in Hawaii, sipping a Mai Tai or two — and that you won't be able to respond.

Since you can't, or don't want to, respond while you're on
vacation or away for some other reason, you include a way for
people to contact you in an emergency.

You also include the name and contact information of your boss or co-worker. You'll probably also tell people how long you'll be away and when you'll be back in the office.

No big deal, right?

Wrong. You never know who's going to see that information,
according to security experts.

"In many enterprises today, guarding against data breaches and targeted attacks is one of the top concerns of IT administrators," Trend Micro researcher Roland Dela Paz said last fall in a blog post.

"One of the things that administrators guard against is
reconnaissance and targeting of any potential high-value
personnel who may fall victim to a targeted attack," Dela Paz
noted. "A less obvious source of information leakage, however, is
the humble out-of-office notification."

Security expert Andy O'Donnell, network security guide at
About.com, has seen a lot of "crazy stuff" in out-of-office
replies.

"It's amazing what people put in them and reveal about
themselves," O'Donnell said. "My rule of thumb is, 'If you
wouldn't tell a room full of strangers the information, you
shouldn't put it in your out-of-office reply.'

"One of the things people put in is their chain of command — who
their supervisor is."

"They could [use that information] and contact a department of
that company claiming to be the supervisor of that person and
they could get that person's Social Security number if people
aren't thinking on their feet," O'Donnell said.

"If someone wants to track you down at that conference, they'll
know exactly where you're going to be, what your name is, your
cellphone number — just a lot of information that doesn't need to
be out there and could be going to anybody, potentially."

One of the problems is that companies aren't really aware of the
security risks of out-of-office replies.

"I have a newsletter that I send out to subscribers for
About.com, and when my newsletter goes out, it will prompt an
out-of-office reply for a lot of people," O'Donnell said. "There's
so much information that people put in those, all their contact
information, what their supervisor's name is, who to contact for
invoicing or things like that.

"They put a lot of their business in those replies when they
don't know who's going to get them. It could be a complete
stranger on the Internet, or a spammer or a
scammer. Anybody could send you an email, and that auto-reply
is going to do its job and send a reply back to them."

How to hold back

O'Donnell has some tips for users and IT administrators to create
safer out-of-office notification messages:

— Set up your mail client to send different out-of-office
notifications to people outside your organization than to people
inside your company.

— Have a security policy in place for rules of behavior. Have a
user agreement so users are aware of what the company's policies
are in terms of information security and protecting information.

"Companies should include what information can be divulged in
out-of-office notifications in this policy document," O'Donnell
said. "For example, 'You will not list your chain of command in
an out-of-office reply.'"

— Don't reveal too much information. Be intentionally vague. If
you have to leave an auto-reply, don't say you'll be in Hawaii;
say you'll be unavailable. Instead of giving strangers your
cellphone or home phone number, tell them you'll be checking your
email.

— Leave all of your personal information out of your signature
block.
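An added example, not from the article or from O'Donnell, of the first and third tips applied to an Exchange Online mailbox with the Set-MailboxAutoReplyConfiguration cmdlet. The mailbox address, dates and message text are constructed, and the final audit loop goes beyond the article by checking existing mailboxes against the same rule.

```powershell
# Added example, not from the article. Requires the ExchangeOnlineManagement module;
# the mailbox address, dates and message text below are constructed for illustration.
# Connect-ExchangeOnline -UserPrincipalName admin@example.com   # assumed admin account

$mailbox = 'alice@example.com'

# Weak pattern: one reply for everyone, carrying the chain of command and a cellphone number.
$leaky = "I'm in Hawaii until 20 June. My supervisor Bob Smith (bob@example.com, 555-0101) " +
         "can approve anything urgent. Reach me on my cell at 555-0199."

# Hardened pattern: colleagues get the detail, outside senders get a vague note.
$internal = "Out until 20 June. For urgent items please contact Bob Smith (bob@example.com)."
$external = "Thank you for your email. I am currently unavailable and will reply when I return."

# Returns the fragments of a reply that the policy in the second tip would forbid
# (phone numbers and any mention of a supervisor); returns nothing if the text is clean.
function Test-AutoReplyLeak {
    param([string]$Text)
    $patterns = @(
        '\b(\d{3}[-. ]?)?\d{3}[-. ]?\d{4}\b',            # phone numbers
        '(?i)\b(supervisor|manager|boss|reports? to)\b'  # chain of command
    )
    foreach ($p in $patterns) {
        [regex]::Matches($Text, $p) | ForEach-Object { $_.Value }
    }
}

Test-AutoReplyLeak $leaky      # flags the two phone numbers and the word "supervisor"
Test-AutoReplyLeak $external   # nothing to flag in the vague reply

# Apply the split reply: internal message to colleagues, vague message to outside senders,
# and only to outside senders already in Alice's contacts ('None' would stop external replies).
Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date '2024-06-10') -EndTime (Get-Date '2024-06-20') `
    -InternalMessage $internal `
    -ExternalMessage $external `
    -ExternalAudience Known

# Audit (this goes beyond the article's tips): list every mailbox whose external reply
# still contains a phone number or a supervisor reference. ExternalMessage is stored as
# HTML, so the patterns are matched against the markup as-is.
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object { $_.AutoReplyState -ne 'Disabled' -and $_.ExternalAudience -ne 'None' } |
    ForEach-Object {
        $hits = Test-AutoReplyLeak $_.ExternalMessage
        if ($hits) { [pscustomobject]@{ Mailbox = $_.Identity; Leaks = ($hits -join ', ') } }
    }
```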

"If you wouldn't give this information to a complete stranger,
don't include it in your out-of-office notification," O'Donnell
said.